Two-way SSL or one-way SSL when it's a one-way REST call?


I created a client-rest-api which calls a server-rest-api (one-way POST call). My client-rest-api uses certificates issued by the server-rest-api. However, my client-rest-api never issued any certificates to the server-rest-api. Does it come under one-way SSL or two-way SSL?

Even though it's just a one-way call from client to server, I am thinking it's two-way SSL, since here the server-rest-api validates that the client has the proper certificates issued by the server?


Answers:


One-way SSL authentication is when the client only verifies the certificate of the server. This validation is done to make sure that it is the expected server, i.e. that there is no man-in-the-middle attack.

Two-way SSL authentication (or better, mutual authentication or client authentication) is when the server also verifies the certificate of the client. This is done to authenticate the client to the server using a certificate.

This means it does not matter whether REST is involved or not. It also does not matter who issued the certificates. All that matters is the communication at the TLS layer, i.e. whether the server requests a client certificate and the client sends it. Since it looks from your description like the latter is the case, it is two-way SSL authentication. But I really recommend calling it "mutual authentication" or "client authentication", because this way it is less confusing what is actually done.
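To make the answer's point concrete, here is an added Go example (not part of the original answer or of anyone's REST API): a toy issuer on the server side mints the server's own certificate and the client's certificate, as in the question, and one TLS handshake is run over an in-memory pipe with the server either not asking for a client certificate (one-way) or requiring one (mutual). The names server-ca, server-rest-api and client-rest-api and the helper functions are assumed for illustration; what decides the outcome is only the server's ClientAuth setting and whether the client presents a certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue mints a short-lived Ed25519 certificate for cn: self-signed when parent is nil,
// otherwise signed by parent. Constructed helper for this example, not a real PKI.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, DNSNames: []string{cn},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: parent == nil,
	}
	signer, signerKey := tmpl, priv
	if parent != nil { signer, signerKey = parent.Leaf, parent.PrivateKey.(ed25519.PrivateKey) }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// run does one TLS handshake over an in-memory pipe. mode is what the server demands
// (tls.NoClientCert = one-way, tls.RequireAndVerifyClientCert = mutual/two-way); clientHasCert
// says whether the client presents the certificate the server side issued. It reports whether
// the handshake succeeded and whether the server saw a client certificate.
func run(mode tls.ClientAuthType, clientHasCert bool) (ok, sawClientCert bool) {
	ca := issue("server-ca", nil) // the server side's issuer, as in the question
	pool := x509.NewCertPool(); pool.AddCert(ca.Leaf)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{issue("server-rest-api", &ca)},
		ClientAuth: mode, ClientCAs: pool, SessionTicketsDisabled: true}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "server-rest-api"}
	if clientHasCert { clientCfg.Certificates = []tls.Certificate{issue("client-rest-api", &ca)} }
	c1, c2 := net.Pipe()
	seen := make(chan int, 1) // client certs the server saw, or -1 if its handshake failed
	go func() {
		srv := tls.Server(c1, serverCfg)
		if srv.Handshake() != nil { seen <- -1; return }
		srv.Write([]byte("ok")) // gives the client something to read once the handshake is done
		seen <- len(srv.ConnectionState().PeerCertificates)
	}()
	// Read drives the client handshake and surfaces any alert the server sent after it.
	_, readErr := tls.Client(c2, clientCfg).Read(make([]byte, 2))
	n := <-seen
	return readErr == nil && n >= 0, n > 0
}
```

run(tls.NoClientCert, false) succeeds with no client certificate seen, run(tls.RequireAndVerifyClientCert, true) succeeds with the client certificate seen, and run(tls.RequireAndVerifyClientCert, false) fails: the same client-to-server call is one-way or mutual purely depending on the TLS-layer configuration.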